About Orbital

Orbital is a cloud-based, attack research and response tool. It allows the user to gather system and security information from the client’s networked devices and to respond to any threats found.

To accomplish this, Orbital allows you to query your network’s devices, using SQL, and then use Python scripts to respond to any found threats. Orbital uses osquery to allow SQL queries to run against your organization’s endpoints. Creating and running Orbital queries and scripts is performed on the Investigate page.

The results for the queries and scripts that have been run can be found listed on the Results page. Result details can be viewed by drilling down into the individual results listed on the Results page.

Orbital’s Catalog provides hundreds of carefully researched and tested queries and scripts. Additionally, you can write your own SQL queries and Python scripts, which can be saved to the Catalog or discarded after a single use.

Important Points of Note:

• Orbital supports the use of proxies, except SSL terminating proxies. All operating systems can be used with proxies.

• Apple Silicon is supported when running macOS 11 or newer.

• The screen captures in these Help topics may not always reflect the latest product names or UI enhancements.

Table of Contents

• How Do I Get Orbital?
  • Secure Endpoint
  • Enable Orbital
  • How to Set Up Orbital with Secure Endpoint
  • Explore the Orbital User Interface
• What’s New?
• Frequently Asked Questions
• System Requirements
  • Cisco XDR or SecureX Admin Users
  • Supported Platforms
  • Supported Browsers
  • Network Connectivity
    • Proxy Support
    • North American (NAM) Customers
    • European (EU) Customers
    • Asian and Pacific (APJC) Customers
  • Orbital Integrations
    • Using Orbital with Secure Malware Analytics
    • Using Orbital with Cisco XDR or SecureX
    • Linkable Cisco XDR or SecureX Integration Modules
    • Using Orbital From Cisco Secure Malware Analytics
  • Orbital Nodes
    • Support Policy for Orbital Node Versions
    • The Orbital Node’s Impact on Network and Endpoint Infrastructure
    • Orbital Node Version Releases
    • Python
      • Python Libraries Included With Script
      • Script Limits
      • Script Parameters
        • Escaping Special Characters
        • Examples of Using Script’s Parameters in Python
      • Script Parameter Definition Through the Orbital User Interface
      • Script Exit Codes
        • Special Orbital Exit Codes
        • Using stderr In Scripts
  • What is osquery?
    • Differences Between Stock and Orbital’s osquery
  • Orbital Settings My Account Tab
    • Setting the Time Options
    • Setting the Default Interval
    • Setting the Default Remote Data Store
  • Orbital Settings User Tab
    • The Manage users in Cisco XDR or SecureX Link
    • The Show Disabled Users Toggleswitch
    • The User List Panel
    • The Previous/Next Buttons
  • Remote Data Stores
    • Under The Hood
    • Destinations for Remote Data Stores
      • Regional NAT IP Addresses
    • Remote Data Store Errors
    • Managing Your Remote Data Storage Definitions
      • Adding a Remote Data Store
      • Editing a Remote Data Store
      • Deleting a Remote Data Store
      • Setting the Default Remote Data Store for Your Profile
        • Setting Multiple Default Remote Data Stores
      • Fingerprints for Remote Data Stores
  • Orbital Settings Organizations Tab
    • Turning On the Script Feature
    • Turning Off the Script Feature
    • Linking Organizations
  • Results Notifications
    • Orbital Structures Result Notifications
      • RDS Payloads
• Investigate
  • Builder
  • Favorites
  • My Recent History
  • Explore More
  • MITRE ATT&CK Adherence
    • The MITRE ATT&CK Indicator
  • Orbital Queries
    • About SQL
      • SELECT Statement
    • Types of Orbital Queries
      • Ad Hoc Queries
      • Scheduled Queries
    • Query Prefixes
      • Special Prefixes
      • Dynamic Prefixes
      • Static Prefixes
      • The all Prefix
      • The allowos Filter and the Orbital Query Catalog
      • Query Success
    • Schedule Orbital Queries
      • Scheduled Query Behavior
      • Schedule Orbital Query Popup
        • Multiple Data Store Sources
      • How to Schedule a Query
        • How to Select Multiple Remote Data Stores
    • Using Orbital Queries
      • Endpoints - Choose the Query Target
      • SQL - Enter a Query
      • Running an Ad Hoc Query From the Catalog
      • Saving A Query To the Catalog
      • Ad Hoc Query
      • Download
    • Linked Queries
      • Using Linked Queries
        • Accessing Linked Queries
        • Accessing Linked Queries from the Investigate Page
        • Accessing Linked Queries from the Results Page
  • Orbital Scripts
    • Turning Off Script
    • Linkable Scripts
    • Schedule Orbital Scripts
      • Scheduled Script Behavior
      • Schedule Orbital Script Popup
        • Multiple Data Store Sources
      • How to Schedule a Script
        • How to Select Multiple Remote Data Stores
    • Using Orbital Scripts
      • Endpoints - Choose the Script Target
      • Enter a Script
      • Running a Ad Hoc Script From the Catalog
      • Saving A Script To the Catalog
      • Ad Hoc Script
      • Download CSV
• Orbital Results
  • Expired Results
  • Query Results
    • Query Results Page
      • Scheduled Query Run Time Display
    • Query Result Details
      • The Query Result Details Controls Pane
      • The General Query Information Pane
      • The Query Results Details Node List Pane
      • The Query Results Node Details Pane
  • Script Results
    • Script Results Page
      • Scheduled Script Run Time Display
    • Script Result Details
      • The Script Result Details Controls Pane
      • The General Script Information Pane
      • The Script Results Details Node List Pane
• Orbital Catalog
  • Query Catalog
    • The Edit Query Function
    • Using the Query Catalog
      • Viewing Catalog Queries
      • Finding Catalog Queries with Filter and Search
      • Editing a Custom Query
      • Copy or Add the SQL to a New Query
      • Upload Queries
      • Download Organization Queries
      • Download Query Template
  • Script Catalog
    • The Edit Script Function
    • Using the Script Catalog
      • Viewing Catalog Script
      • Finding Catalog Script with Filter and Search
      • Editing a Custom Script
      • Copy or Add the Python to a New Script
      • Download Organization Scripts
• Endpoints Page
  • View Endpoint Information
  • Using allowos In Endpoint Searches
  • Download
    • Downloading All Endpoint Records for Your Organization
• Orbital APIs
  • Examples
  • Orbital Service Addresses
  • Request ID
  • Orbital’s Script API
  • Client Authentication
    • Creating a New Client
    • Getting an Access Token
    • Checking Your Token
  • Orbital API Errors
    • 400 Invalid Request
    • 401 Unauthorized
  • Query API
    • Request Parameters
    • osquery Objects in Queries
    • Postback Objects in Queries
      • Postback Fields
    • Specifying Nodes as Subjects of Queries
    • A Number of Prefixes are Also Available to Identify Nodes by Specific Properties
    • Machine Identifier
    • Query API Limits
    • The None of the specified nodes were found Error Message
    • Example 1: Getting a List of Processes From the Front Desk
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 2: A Non-Stock Query
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 3: A Stock Query
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 4: A Postback, Using an Existing Webhook
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 5: A Postback, Using a Live Webhook
      • Scheduled Query Example
      • Live Query or Probe Example
  • Results API
    • Example 1: Collecting Lists of Processes
    • Example 2: Collecting More Results
    • Request Parameters
  • Webhook API
    • Create a Remote Data Store
      • Request Parameters
      • Request Payload Format
      • Example of Success
      • Example Of Failure
    • Get a Remote Data Store
    • List Remote Data Stores
  • Orbital OK API
    • GET /v0/ok
      • 200 OK
  • WMI Classes
• Orbital Yara Rules and System Configuration
  • Linux Yara Rules
  • Linux osquery Daemon Configuration
  • Linux osquery Client Configuration
  • macOS Yara Rules
  • macOS osquery Daemon Configuration
  • macOS osquery Client Configuration
  • Windows osquery Client Configuration
• Orbital Troubleshooting
  • SSL Proxies
  • Orbital and osquery Logging
  • Orbital Service (Node) Not Installing
  • Last Seen Timestamps
  • Orbital-related Secure Endpoint Events
  • The Constraint Failed Error Message
  • Windows Troubleshooting
    • Windows Installer References
    • Orbital Installation Failed
    • Powershell Events Not Enabled by Default
    • Troubleshooting Tools
      • Logs
      • Secure Endpoint Diagnostics
    • IP Connectivity Tool
  • macOS Troubleshooting
    • macOS Installer References
    • Orbital Installation Failed
    • Troubleshooting Tools
      • Logs
      • Secure Endpoint Diagnostics
  • Alerts, Errors, and Warnings
    • Alerts
    • Errors
      • Orbital Service (Node) Not Installing
      • 403 Unauthorized Query
      • 400 Invalid Query
      • 500 Query Expired
      • 500 Query Failed
    • Warnings
• Glossary